IBM Support

Problem with removing a child domain in an Active Directory Forest

Troubleshooting


Problem

Active Directory Domain Demotion

Symptom

  • When you try to demote the last domain controller in a child domain, it fails.
  • The server is still a domain controller after the demotion reports that it was successful.
  • The last domain controller is a Windows 2000 Server in a mixed environment which contained.
  • You observe the DCPromo log (c:\windows\debug\DCPromo.log), and find the following:

02/02 06:34:14 [INFO] Error - According to the information stored locally, this dc is the last dc in the domain, and the domain has a child domain. (8398)

02/02 06:34:14 [INFO] NtdsDemote returned 8398

02/02 06:34:14 [INFO] DsRolepDemoteDs returned 8398

02/02 06:34:14 [ERROR] Failed to demote the directory service (8398)

  • You then try using the NTDSUTIL tool from the forest root domain controller to delete the child domain and get the following error:

DsRemoveDsDomainW error 0x2015

Cause

When you promote a Windows Server 2003 server to a Domain Controller, it creates a naming context (DC=DomainDnsZones) in the application partition.

  • If the last Domain Controller in the child domain is a Windows 2000 Server, it checks Active Directory and finds this naming context and thinks it's a child domain.
  • The child domain thinks it has another child domain, which causes DCPromo to fail.

Environment

Active Directory

Diagnosing The Problem

Check: System Event Logs, Directory Services Event Logs, and DCPromo Log

Resolving The Problem

Solution:

1. You have to remove the DomainDNSZones naming context in Active Directory by using the following steps (Make sure you are running these steps on the forest root domain controller):
"DsRemoveDsDomainW error 0x2015" error message when you use Ntdsutil to try to remove metadata for a domain controller that was removed from your network in Windows Server 2003
http://support.microsoft.com/kb/887424/

- Click Start, click Run, type ntdsutil, and then press ENTER.
- At the Ntdsutil command prompt, type domain management, and then press ENTER.
- Type connections, and then press ENTER.
- Type connect to server Domain_Controller_Name, and then press ENTER.
- After the following message appears, type quit, and then press ENTER:
    Connected to Domain_Controller_Name using credentials of locally logged on user
- At the domain management prompt, type list, and then press ENTER.
- Note the following entry:
    DC=DomainDnsZones,DC=Child_Domain,DC=extension
  For example, if the child domain is Contoso.com, note the following entry:
    DC=DomainDnsZones,DC=contoso,DC=com
- Type the following command, and then press ENTER:
    delete nc dc=domaindnszones,dc=Child_Domain,dc=extension
  Note: In this command, Child_Domain represents the name of the child domain that you want to remove. For example, if the child domain is Contoso.com, type the following command, and then press ENTER:
    delete nc dc=domaindnszones,dc=contoso,dc=com
- Quit Ntdsutil.
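Before and after the "delete nc" step it helps to see exactly which naming contexts the forest still holds for the child domain. The following PowerShell script is an added example, not part of the IBM article: it binds to the forest root domain controller, reads every crossRef object under CN=Partitions in the configuration naming context, tells domain naming contexts apart from application partitions by their systemFlags bits, and flags any application partition (such as DomainDnsZones) that still hangs off the child domain. It is read-only. The child domain name child.contoso.com and the server name DC01 are constructed sample values; replace them with your own.

```powershell
# Added example (not from the IBM article). Lists the forest's naming contexts
# and flags application partitions under the child domain being removed.
# Read-only: nothing is modified. Run it against the forest root DC.
param(
    [string]$ChildDomainDns = 'child.contoso.com',   # constructed sample value
    [string]$Server         = 'DC01'                 # constructed sample value
)

# Turn the DNS name into its distinguished name, e.g. DC=child,DC=contoso,DC=com
$childDn = ($ChildDomainDns.Split('.') | ForEach-Object { "DC=$_" }) -join ','

# RootDSE exposes the configuration naming context of the forest
$rootDse  = [ADSI]"LDAP://$Server/RootDSE"
$configNc = $rootDse.configurationNamingContext.Value

# Each naming context in the forest is registered as a crossRef object here
$partitions = [ADSI]"LDAP://$Server/CN=Partitions,$configNc"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($partitions)
$searcher.SearchScope = 'OneLevel'
$searcher.Filter = '(objectClass=crossRef)'
$searcher.PropertiesToLoad.AddRange([string[]]@('nCName', 'dnsRoot', 'systemFlags'))

$results = foreach ($r in $searcher.FindAll()) {
    $ncName = [string]$r.Properties['ncname'][0]
    $flags  = [int]$r.Properties['systemflags'][0]
    # systemFlags bit 0x1 = NC hosted in this forest, bit 0x2 = domain NC.
    # A hosted NC without bit 0x2 is an application partition (DomainDnsZones etc.).
    $isDomain = ($flags -band 0x2) -ne 0
    [pscustomobject]@{
        NamingContext = $ncName
        DnsRoot       = [string]$r.Properties['dnsroot'][0]
        Kind          = if ($isDomain) { 'Domain' } else { 'Application' }
        # True for the child domain NC itself and for anything beneath it
        UnderChild    = $ncName -match "(^|,)$([regex]::Escape($childDn))$"
    }
}

$results | Sort-Object Kind, NamingContext | Format-Table -AutoSize

# Any application partition left under the child domain is what the last
# Windows 2000 DC mistakes for a child domain (DCPromo error 8398).
$blocking = $results | Where-Object { $_.Kind -eq 'Application' -and $_.UnderChild }
if ($blocking) {
    Write-Warning "Application partitions still exist under $childDn and must be removed first:"
    $blocking | ForEach-Object { Write-Warning "  $($_.NamingContext)" }
} else {
    Write-Host "No application partitions remain under $childDn."
}
```

Run it once before the ntdsutil session to confirm the DomainDnsZones entry you are about to delete, and once after to confirm it is gone before moving on to step 2.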

2. Use NTDSUTIL to delete the domain controller from the child domain.
How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498

3. Then use NTDSUTIL on the Forest Root DC to delete the child domain.
    C:\>ntdsutil
    ntdsutil: metadata cleanup
    metadata cleanup: connections
    server connections: connect to server DC01
    Binding to DC01 ...
    Connected to titanic using credentials of locally logged on user
    server connections: quit
    metadata cleanup: select operation target
    select operation target: list domains
    Found 3 domain(s)
    0 - DC=Microsoft,DC=com
    1 - DC=Child1,DC=Microsoft,DC=com
    2 - DC=Child2,DC=Microsoft,DC=com
    select operation target: select domain 2
    Site - CN=London,CN=Sites,CN=Configuration,DC=Microsoft,DC=com
    Domain - DC=Child2,DC=Microsoft,DC=com
    No current server
    No current Naming Context
    select operation target: quit
    metadata cleanup: remove selected domain

4. On the last domain controller (Windows 2000 Server), you can run DCPROMO /Forceremoval (Start >> Run) to remove any Active Directory information from that server.

How to prevent this from happening:

- If you have a child domain which contains mixed domain controllers (Windows 2000 Server, and Windows Server 2003), you have to demote the Windows Server 2003 domain controllers last. With new operating systems come new changes to the schema and Active Directory Partitions. Older operating systems may not understand these changes.
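To apply that rule in practice you need to know which operating system each domain controller in the child domain runs before you start demoting. The following PowerShell script is an added example, not part of the IBM article: it queries the computer accounts in the child domain's Domain Controllers OU, reads their operatingSystem and operatingSystemVersion attributes, and prints a demotion order with the oldest OS first so that the Windows Server 2003 domain controllers are demoted last. It is read-only. The child domain name child.contoso.com is a constructed sample value.

```powershell
# Added example (not from the IBM article). Inventories the DCs of a child
# domain and prints the order to demote them (oldest OS first, newest last).
# Read-only: nothing is modified.
param(
    [string]$ChildDomainDns = 'child.contoso.com'   # constructed sample value
)

# Distinguished name of the child domain, e.g. DC=child,DC=contoso,DC=com
$childDn = ($ChildDomainDns.Split('.') | ForEach-Object { "DC=$_" }) -join ','

# Domain controller computer objects live in the Domain Controllers OU
$ou = [ADSI]"LDAP://$ChildDomainDns/OU=Domain Controllers,$childDn"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($ou)
# userAccountControl bit 0x2000 (8192, SERVER_TRUST_ACCOUNT) marks a DC account;
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule
$searcher.Filter = '(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$searcher.PropertiesToLoad.AddRange([string[]]@('dNSHostName', 'operatingSystem', 'operatingSystemVersion'))

$dcs = foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{
        Host    = [string]$r.Properties['dnshostname'][0]
        OS      = [string]$r.Properties['operatingsystem'][0]
        Version = [string]$r.Properties['operatingsystemversion'][0]
    }
}

# operatingSystemVersion looks like "5.0 (2195)" on Windows 2000 and
# "5.2 (3790)" on Windows Server 2003; rank by major.minor so older sorts first.
function Get-OsRank([string]$version) {
    if ($version -match '^(\d+)\.(\d+)') { [int]$matches[1] * 100 + [int]$matches[2] } else { 0 }
}

$order = $dcs | Sort-Object { Get-OsRank $_.Version }, Host

Write-Host "Demotion order for $ChildDomainDns (demote in this sequence):"
$i = 1
foreach ($dc in $order) {
    '{0}. {1}  ({2}, {3})' -f $i, $dc.Host, $dc.OS, $dc.Version
    $i++
}
```

If the list ends with a Windows Server 2003 domain controller, the DomainDnsZones application partition will still have a host that understands it when the older controllers are demoted, which is the situation the article's advice is meant to preserve.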


Document Information

Modified date:
03 January 2022

UID

isg3T1011443